Filed under: Security, Mozilla, Browsers
Firefox security questioned again as another exploit surfaces
It's only been a couple days since the Firefox 3.5.1 update was released to address a critical vulnerability in the Javascript JIT compiler and there's already a new exploit causing quite a ruckus. You can actually hear the chuckles coming from Redmond if you listen closely.
It would be unreasonable to assume that the first patch for Firefox 3.5 would make it bulletproof. Still, after the long delays that proceeded its release the rapid discovery of two such vulnerabilities is a bit surprising. Past releases of the browser have had their share of security issues as well, but as Firefox becomes more popular its security shortcomings are going to be much more publicly exhibited.
It's interesting to note that Secunia has still yet to post a single exploit for Chrome 3. If you're security minded, now might be a good time to take it for a test drive.
[via Security Focus]
I don't know if this is a labor of love or merely the brainchild of four very gifted games designers, but Level Up is a really weird mash-up of gaming elements that you have probably never seen in a Flash game before.
Let's start with the premise itself: Groundhog Day meets Memento. The game experience revolves around 'days': you explore the world and the clock slowly ticks towards the evening. You bounce around picking up gems and talking to the denizens of 'Level Upland'. Eventually you feel tired and head back to ...
Reader Comments (Page 1 of 1)
Simon said 1:02PM on 7-19-2009
It seems to me that Mozilla let the pressure of getting 2.5 out of the door get to them. It's been no end of hassle for me on OSX. Slow, unstable, taking ages to launch, sluggish Javascript performance. A huge step backwards compared to the previous release. And that's not taking into account the security issues.
On the subject of security, the answer seems pretty obvious. FireFox is rapidly becoming a viable target for security firms to test and exploit writers to exploit. It's no longer a bit-part player. We knew that eventually this would happen, and FireFox would garner enough users to make it a target, and it looks like that just happened. And bear in mind, it's just not exploit writers who are out to make a name and money for themselves, it's the security companies as well.
Reply
Lee Mathews said 1:06PM on 7-19-2009
Well put, Simon...Things like this definitely go unpublicized for less widely-known apps. Just take a look at Opera 9's list of holes on Secunia: http://secunia.com/advisories/product/10615/?task=advisories
Does it get talked about? Not really, because Opera is still a relatively small player. If they had 30% share, you can bet we'd here all about them.
Rocketboy said 6:37AM on 7-20-2009
Here's another reason that Opera security holes may not be talked about much..
"Currently, 0% (0 out of 22) are marked as unpatched."
der_tuxman said 1:32PM on 7-19-2009
Chrome is not open source (Chromium is, however), so it's harder to find security holes here. That doesn't mean that it has less of them.
(The "phoning home" is a security hole btw.)
Reply
El Cid said 2:21PM on 7-19-2009
> Does it get talked about? Not really, because Opera is still a relatively small player. If they had 30% share, you can bet we'd here all about them.
Interesting and yet when this same logic is applied to Apple computers it's attacked.
Reply
KeegdnaB said 2:38PM on 7-19-2009
You're ALWAYS gonna find another security hole....in ANY browser.
The key is that Mozilla is always on top of it, and if they find something they patch it.....quickly. How long do IE and (even worse an offeneder) Safari go once something is found?
Reply
Kenn.keeper said 4:11PM on 7-19-2009
There will always be those who love to create havock on those who just want to enjoy anything in life. They are basically un-happy with themselves and try to force others to be like them. Most of these idiots will learn one day that what goes around, comes around and the more that they are mentioned the more they will do.
They are the answer to why stupid people shouldn't breed....
Free is Good
Kenn.....
Reply
rg said 8:16AM on 7-21-2009
I am sniffing a lot of slow bias these days introduced by our dear Google. I would like to humbly request it not to follow Windows and Gates.
Reply
Asa Dotzler said 4:19PM on 7-19-2009
This is a browser out of memory crash. There is no evidence that this is exploitable while all evidence points to it not being exploitable. Pretty much all browsers crash from this but that doesn’t mean that it’s a security issue.
Reply
Roy Williams said 6:44PM on 7-19-2009
It's important to note that the open source community is essentially white box and they are not entirely at fault. The nature of open source software is that it is open therefore prone to security issues that closed or black box software does not share as much. However, since in most circumstances they are not as popular or if they are popular, they don't discuss all the possible problems with their applications in their release notes to the public. When you compare browsers and the development of the open community they scrutinize what the code and application does in a working environment more often than a black box product ever could. So the likelihood of a exploit that doesn't get patched is low and more often a contest to see who can patch the most security exploits than the next. So hackers must be more in tune with the community and hope that their exploit isn't caught by the team of developers attacking the problems. You could argue black box products can do the same. But here is the issue, is a small team or even a large team going to be able to accept the same level of help from outsiders as a white box application in the support of the open source community? I don't think so and if Bugzilla and any of the other bug tracking system the open community uses is worth any merit look how many bugs they fix on the daily.
Reply
Mike Shaver said 6:47PM on 7-19-2009
Have you seen much evidence of attackers using source analysis to find security bugs? In my experience with Mozilla, virtually all security issues found by people outside the project are found using the same black-box techniques as are employed on proprietary software. One difference, though, is that we report all security issues we find, even if they are never published by anyone else, so naive comparison of "known bugs" can be misleading.
Roy Williams said 8:21PM on 7-19-2009
My main point, in making a comment in the first place is to make sure that everyone understands that finding and stopping a bug is no reason to bash a piece of software. However, finding a bug and never patching is definitely reason to bash the application. As far as I'm concerned Firefox is still solid software regardless of the ugly comments made. If you have someone who has malicious intent and time they can resort to source analysis to break a target application. Although lengthy they would indeed have a plan in that case. I haven't seen too many documented cases of this happening. It's usually when the end user and system administrators don't patch their systems against known attacks that things more or less turn into a nightmare. I do not disagree on that issue. However, it is good they are patching their software and actively updating it.
Mike Shaver said 6:44PM on 7-19-2009
This report is incorrect. The bug in question is not exploitable, and in fact doesn't even crash FF3.5 on Windows. Please see http://blog.mozilla.com/security/2009/07/19/milw0rm-9158-stack-overflow-crash-not-exploitable-cve-2009-2479/ for more details, and feel free to contact press@mozilla.com if you have questions about future security (or other) reports that you read. We all do better when we don't have to spend time and energy responding to false reports. :-(
Reply
Quikboy said 7:57PM on 7-19-2009
I hope this shows users that IE isn't the only browser that is capable of being vulnerable to web attacks.
Reply
Phil said 9:15PM on 7-19-2009
Point against Security Focus for publishing wrong information and worst exploting it as a big new, for me it rests credibility to it as a news sources.
And in the other hand (the editor side) its a good advice to check several sources before posting an article, specially when its done with this kind of tone.
Re:"You can actually hear the chuckles coming from Redmond if you listen closely."
Since IE is built in activex they have no word in security terms so they can chuckle all they want, anyway mozilla doesn´t need "unpresentable promotions" to make people use it.
And finally I don´t get where does that mood with Mozilla comes from. There is an article about a new security problem and the first to post are the peeved people, mostly chrome and safari fans talking against other browsers every time they can, while google corporation gathers more data from chrome users (you better use iron) and safari it´s not much better.
Reply
gojeda said 10:56PM on 7-19-2009
Kudos to Lee for finally being even-handed in his reportage on browser security.
Reply